What is the right cloud strategy for the public sector?

Making use of the cloud much more widespread in government: that is the stated ambition of France’s Secretary of State for Digital, Mounir Mahjoubi. However, a number of precautions need to be taken when organizations delivering public services move into the cloud. Here are ten areas to consider in order to make the right decisions about the cloud in the public sector.

1 – The level of sensitivity of data and their location

All public organizations collect, store and process sensitive data: personal data on citizens and staff working for organizations (as defined by the GDPR and the CNIL, France’s data protection agency), health data (which must be hosted by approved providers), and central administrative or even top-secret defence data. The French government has announced that, as of 1 July 2018, the most sensitive data now has to be hosted in an internal cloud; lower sensitivity data can be entrusted to French hosting providers in a dedicated external cloud; and lastly low-sensitivity information can be hosted by (French or foreign) providers in an external cloud.

Nonetheless, the hosting of public data by American companies raises questions and concerns regarding their sovereignty, especially in the light of the Cloud Act, which authorises the US government to requisition data from these providers. Forthcoming guidelines from France’s Secretary of State for Digital following a consultation of leading players in summer 2018 should set out the French government’s official line, and thus help all public bodies make the right choices based on the data they process.

2 – Audits of existing hosting infrastructures

To make the right choices, audits of existing – internal or external – hosting infrastructures are necessary in order to draw up a digital transformation plan that meets the continuity of service and security levels required for the hosted data: this entails assessing the work needed to upgrade existing infrastructures, or potentially build a new data center, determining the criteria for challenging hosting providers, etc.

3 – Hybrid cloud: the cost of secure data

The government’s initial guidelines suggest that public bodies will in many cases end up opting for a hybrid cloud, combining their owner-managed data center with an outsourced cloud, in order to meet the security requirements of the different data types (ultra-sensitive, sensitive, and low-sensitivity) that they may need to process. Nonetheless, a hybrid cloud solution might prove sub-optimal given the marginal cost that it represents. Indeed, outsourced hosting is not always economically worthwhile, especially for a government agency that already has its own data center. So, before making any decision, you need to compare the costs of each scenario: do you invest in increasing the capacity of an operational owner-managed data center or use an external cloud?

4 – Which is the right cloud service based on the size of a public body?

One of the advantages of the cloud is that it is accessible to all public bodies, regardless of size, unlike an owner-managed data center, which requires a certain level of data for processing and the human resources to operate it. SaaS solutions (applications hosted in a cloud) are already available in the catalogue of UGAP (Union des Groupements d’Achats Publics), a government-owned procurement organisation. In a PaaS (Platform as a Service) configuration, the layers managed by the end user are limited to data and applications: you do not necessarily need to have an IT department to manage it, so this option may be attractive to a large number of public bodies. IaaS (Infrastructure as a Service), meanwhile, requires a dedicated team to manage the operating system and middleware layers: it is therefore better suited to public bodies of a certain size which want, for instance, to deploy custom applications.

5 – Term and termination conditions of the contract

A contract with a cloud provider often takes the form of a framework agreement. According to article 78 of French decree no. 2016-360 of 25 March 2016 on public procurement contracts, the term of framework agreements cannot exceed four years for contracting authorities and eight years for contracting entities, except in duly justified exceptional cases. This four-year term very often proves too short given that upstream it takes on average 18 to 24 months to hybridize or relocate information systems. Moreover, the hosting contracts entered into by public entities include an early termination clause, as stipulated by the general administrative terms and conditions (CCAG) concerning Information and Communication Technologies (ICT).

These two points are obstacles for cloud operators when it comes to bidding for tenders. It is therefore up to the public body to negotiate and justify extending the term of the contract and relaxing early termination conditions.

6 – Connectivity and security

Although barely mentioned in relation to the cloud, the question of connectivity can be crucial, given the need to access hosted data and systems securely at any time. Before committing to a cloud project, public services need to weigh up various telecoms infrastructure parameters: the variety and associated cost of the external connectivity resources available, the quality of service provided on telecoms lines (bandwidth, latency, flow balancing system, etc.), and the level of security provided (encryption, firewalls, anti-DDoS systems, etc.). The investments needed to increase network connectivity and make it reliable are non-negligible additional costs in this type of project.

7 – The potential for pooling

Joint local authorities, mergers of municipalities and the pooling of resources in an area of competence are just some of the opportunities for overhauling information systems and pooling resources. By pooling resources, linked public organizations can achieve a critical mass enabling them to spread fixed costs over a larger community of users, negotiate more readily with cloud hosting providers, take the strain off IT teams and increase service levels thanks to more standardised operating procedures.

However, this requires the upstream implementation of governance between the various stakeholders (e.g. local authorities, universities or hospitals) and, depending on the nature of their needs, the design of a catalogue of services enabling them to access resources under fair and transparent conditions.

8 – The human factor

The transition to cloud technologies has implications for the organization of work and, therefore, for the staff responsible for operating IT infrastructures. The skills required are not the same, and some posts occupied by civil servants may even become obsolete. This transformation will necessitate planning, change management, the upgrading of workers’ skills and training of staff to manage these new services.

9 – Cost structures

The transition to the cloud changes an organisation’s accounting structure from a CAPEX to an OPEX model. But public organizations, conscious of the need to get the best bang for their buck, are often averse to approving an increase in operating budgets. This can be a major obstacle to the adoption of outsourced cloud services even though they may ultimately save organizations money. It is therefore up to the public authorities to adopt a total cost model (CAPEX + OPEX) to accurately assess the long-term cost burden of a hosting project, factoring in the benefits of modernizing public information systems, in terms of services delivered, efficiency and the security of processed data.

10 – Choice of providers

Choosing a cloud provider is a major challenge. The market is very atomized and it is hard to compare offerings with each other. Therefore, a public organisation should not hesitate to seek a neutral consultant who will be able to help it choose the best offering based on its needs and priorities. Using pooled public procurement organisations, such as UGAP (see above), makes it possible to identify preselected providers for each type of need, from hosting strategy consulting to the implementation and operation of cloud technologies, and to speed up the public procurement process, by six months on average.